TLS certificate error with mail host aliases

oneitonitram · March 13, 2024, 8:02pm

just go to settings, TLS certificates, and request the addiitonal certificates you require.

or is it because they have been requested separately that you are having an issue?

if thats the case, then i think dev team would need to implement a way to request same cert for multiple domains

Ted · March 14, 2024, 12:11am

I’ve done this, I think they aren’t being associated with mail.

LayLow · March 14, 2024, 11:59am

Correct, it is just a certificate for a domain that can be resolved correctly and do these do not point to mail.domain.com but to the FQDN provided.

I do not hope the final asnwer is “this is not a task for NS8 but for a firewall”. @davidep could you shed a quick light here pls?

Maybe via Settings → HTTP Routes?

davidep · March 14, 2024, 12:16pm

The certificate obtained by Traefik and passed to Mail does not contain alternative names (imap and smtp in your case), just the Mail server name.

Alternatives could be

uploading a certificate with the alternative names
talk with users and configure mailserver.domain.com everywhere

Ted · March 14, 2024, 1:36pm

Thanks, @davidep Not the answer I was hoping for, but I appreciate the clarity.

oneitonitram · March 14, 2024, 1:45pm

This is so counterintuitive don’t you think?

davidep · March 14, 2024, 1:55pm

According to Traefik docs it seems possible to obtain a certificate with alternative host names: Traefik Let's Encrypt Documentation - Traefik

If somebody want to play with it, load a custom .yml file of Traefik configuration under the configs/ directory, e.g.

runagent -m traefik1
cd configs
vi myconf.yml

IIRC the configuration is reloaded automatically

LayLow · March 14, 2024, 1:58pm

Not that I am the one to have the knowledge, but does this address the root question?

Ted · March 14, 2024, 2:31pm

Hi @davidep

It’s easy to find the certificate-mail.domain.com.yml. Per the docs, I believe the correct syntax would be this:

http:
  routers:
    certificate-mail.domain.com:
      entrypoints: https
      service: ping@internal
      rule: Host(`mail.domain.com`) && Path(`/cd98a9c8-24c2-441b-a6d5-159afe0b1822`)
      priority: '1'
      tls:
        domains:
        - main: mail.domain.com
          sans:
            - "smtp.domain.com"
            - "imap.domain.com"
        certresolver: acmeServer

However, I don’t see any way to check my work. I don’t get any indication the certificate refreshes and so far at least my mail client continues to complain of a bad cert. Is there a way to view the generated cert? Or to “refresh” traefik?

dnutan · March 15, 2024, 1:01am

same meaning as restart? If so, I think it could be similarly as Steph showed us.

runagent -m traefik1
systemctl restart --user traefik.service

Ted · March 15, 2024, 1:10am

Excellent! Yes. That restarted Traefik. Sadly, my config file does not appear to have worked.

Amygos · March 19, 2024, 9:25am

Try with curl -v https://imap.domain.com/cd98a9c8-24c2-441b-a6d5-159afe0b1822

alefattorini · March 19, 2024, 2:26pm

A post was split to a new topic: I feel left behind

Ted · March 19, 2024, 1:01pm

I’m not sure how to read this. My initial look was that all is well with the cert, but it still doesn’t work, so that’s clearly a bad read.

*   Trying xx.xx.xx.xx:443...
* Connected to imap.domain.com (xx.xx.xx.xx) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=imap.domain.com
*  start date: Mar 13 17:26:34 2024 GMT
*  expire date: Jun 11 17:26:33 2024 GMT
*  subjectAltName: host "imap.domain.com" matched cert's "imap.domain.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: imap.domain.com]
* h2 [:path: /cd98a9c8-24c2-441b-a6d5-159afe0b1822]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x127013400)
> GET /cd98a9c8-24c2-441b-a6d5-159afe0b1822 HTTP/2
> Host: imap.domain.com
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/2 404 
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 19
< date: Tue, 19 Mar 2024 12:56:52 GMT
< 
404 page not found
* Connection #0 to host imap.domain.com left intact

alefattorini · March 19, 2024, 2:27pm

A post was merged into an existing topic: I feel left behind

davidep · April 29, 2024, 10:30am

I did an experiment, that seems to work by my side at least to obtain a certificate with alternative names. Curl’s proof:

* Server certificate:
*  subject: CN=nethservice.nethesis.it
*  start date: Apr 29 09:15:43 2024 GMT
*  expire date: Jul 28 09:15:42 2024 GMT
*  subjectAltName: host "mail.nethesis.it" matched cert's "mail.nethesis.it"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

What we were missing is a fix to the rule line:

rule: Host(`mail.domain.com`, `smtp.domain.com`, `imap.domain.com`) && Path(`/cd98a9c8-24c2-441b-a6d5-159afe0b1822`)

Alternative names must be listed inside the Host() matcher, as stated in “Multiple Hosts in a Rule” Traefik Routers Documentation - Traefik

When the file is saved, Traefik picks up the new configuration immediately. However an HTTP request matching the rule is needed to trigger a cert request, as Matteo said:

I’d try for every altName, just to be sure…

This is not needed, and must be use with caution because restarting Traefik might generate too much Acme requests, which leads to the API rate limit cap.

Editing the certificate .yml file manually might break the API responses and the HTTP routes page.

Edit: there’s also another issue by my side: Mail ignores the host name and refuses to reload the certificate. In the Mail log I see:

Apr 29 12:15:45 ns8n5 agent@mail11[2408658]: Event ignored: the certificate does not match our hostname

Ted · April 29, 2024, 12:45pm

I went ahead and gave this a quick go. In case someone else is tracking this, I realized I hadn’t specified a location for the certificate file.

For most it will be in /home/traefik1/.config/state/configs/

That said, while my curl results look good:

Server certificate:
*  subject: CN=smtp.heroesinc.us
*  start date: Mar 13 17:26:50 2024 GMT
*  expire date: Jun 11 17:26:49 2024 GMT
*  subjectAltName: host "smtp.heroesinc.us" matched cert's "smtp.heroesinc.us"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

and

* Server certificate:
*  subject: CN=imap.heroesinc.us
*  start date: Mar 13 17:26:34 2024 GMT
*  expire date: Jun 11 17:26:33 2024 GMT
*  subjectAltName: host "imap.heroesinc.us" matched cert's "imap.heroesinc.us"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

My mail software disagrees:

Screenshot 2024-04-29 at 1.44.33 PM

Maybe it needs a bit of time for things to refresh?

Ted · April 30, 2024, 6:55pm

24-hours later, no change.

davidep · April 30, 2024, 7:13pm

I’m not expecting any change, at least until it expires.

This issue requires further work.

Ted · April 30, 2024, 7:15pm

Ahhh! Makes sense. Thanks for clarifying. Is there not away to manually refresh the certificate?